Didier Stevens

Thursday 14 December 2017

Update: plugin_biff.py Version 0.0.2 / oledump.py Version 0.0.31

Filed under: maldoc,My Software,Update — Didier Stevens @ 0:00

This is an update to plugin_biff, the oledump plugin to parse the BIFF format (used in .xls files).

New options allow to search for opcodes (-o) and strings/bytes (-f) inside BIFF records:

 

oledump_V0_0_31.zip (https)
MD5: 63B2B5ECE2BC46B937D33A6494F7F6A0
SHA256: D2CF42662897642DF27C863F6C246CE70019EDF03F275354A7A505DCE27632D1

Monday 11 December 2017

New Tool: hash.py

Filed under: My Software — Didier Stevens @ 0:00

This is a new tool, it’s essentially a wrapper for the Python module hashlib: it calculates cryptographic hashes.

I needed this (block mode) for the analysis of a particular malware sample, to be explained in the next blog post.

 

hash_V0_0_1.zip (https)
MD5: 8ECC05DEFBD4AB494A37DE02615A8FE1
SHA256: 07A1ED7FD00FB18B616540CB108AA1D2134B07CC509E11257E4E43FFF9A185C2

Sunday 10 December 2017

Update: rtfdump.py Version 0.0.6

Filed under: My Software,Update — Didier Stevens @ 10:31

This new version of rtfdump.py adds extra information when analyzing the content of an RTF file:

  • Extra info for objects
  • Size longest contiguous hexadecimal string

rtfdump_V0_0_6.zip (https)
MD5: B4F9264F2431322F52BAAB834A5A144D
SHA256: C15918E89313D03F01BC8A3BCB68376B6E21558567BDFD81889F48196DC80986

Monday 27 November 2017

Update: pdfid.py Version 0.2.3

Filed under: My Software,PDF,Update — Didier Stevens @ 0:00

In this new version of pdfid.py, a new option was added: -n.

With this option, you can suppress output for names with a count of zero:

pdfid_v0_2_3.zip (https)
MD5: 65966E8BBF932D3C0830B755FDE094FE
SHA256: 9482176D173EFA6F2F33EE409B091BFA45685FC285B87F7219A4E9418B47F739

Monday 20 November 2017

Update: pcap-rename.py Version 0.0.2

Filed under: My Software,Update — Didier Stevens @ 0:00

pcap-rename.py is a program to rename pcap files with the timestamp of the first packet in the pcap file.

This new version supports big-endian pcap files.

pcap-rename_V0_0_2.zip (https)
MD5: 6EFFA5313946DEAF3363835B1D3C684E
SHA256: 3BA23CC936B49AF83306E486B0BFC9ABAF5BD0B5E3DEF81D8564BCC3810C06B9

Friday 10 November 2017

Update: numbers-to-string.py Version 0.0.3

Filed under: My Software,Update — Didier Stevens @ 22:56

This version has a man page now.

I use this tool to decode obfuscated strings in malicious scripts:

Usage: numbers-to-string.py [options] [expression [[@]file ...]]
Program to convert numbers into a string

Arguments:
@file: process each file listed in the text file specified
wildcards are supported

Source code put in the public domain by Didier Stevens, no Copyright
Use at your own risk
https://DidierStevens.com

Options:
  --version             show program's version number and exit
  -h, --help            show this help message and exit
  -m, --man             Print manual
  -o OUTPUT, --output=OUTPUT
                        Output to file
  -e, --error           Generate error when error occurs in Python expression
  -i, --ignore          Ignore numbers greater than 255
  -n NUMBER, --number=NUMBER
                        Minimum number of numbers (3 by default)
  -j, --join            Join output

Manual:

numbers-to-string.py is a Python program that reads texts files (as
arguments on the commandline, @here files or stdin), extract numbers
from these files and converts these to strings.
The first argument of numbers-to-string.py is a Python expression.
This Python expression can use variable n that represents each
extracted number.

Here is an example, with a script file (test.js) containing a list of
numbers:

C:\Demo>type test.js
a = (68, 105, 100, 105, 101, 114)

Running this script file through numbers-to-string.py with an empty
expression ("") converts the numbers to a string:

C:\Demo>numbers-to-string.py "" test.js
Didier

68 is the ASCII number of letter D, 105 is the ASCII number of letter
i, ...
numbers-to-string.py converts each number it extracts to a character,
and concatenates them into one string per line.

The same result can be obtained by using Python expression n, where n
represents the extracted numbers:

C:\Demo>numbers-to-string.py n test.js
Didier

The advantage of using a Python expression becomes obvious when the
numbers have been altered to obfuscate their meaning.

In the next example, 1 has been added to each number, making
straightforward conversion generate an unintelligible string:

a = (105, 117, 117, 113, 116, 59, 48, 48, 69, 106, 101, 106, 102, 115,
84, 117, 102, 119, 102, 111, 116, 47, 100, 112, 110)

C:\Demo>numbers-to-string.py n test.js
iuuqt;00EjejfsTufwfot/dpn

If we use the Python expression to substract 1 from each number (n -
1), then we can decode the string:

C:\Demo>numbers-to-string.py "n - 1" test.js
https://DidierStevens.com

For more complex operations, a lambda expression can be used. The
argument of the lambda expression is the list of numbers.
Here is an example from a real malicious document:

C:\Demo>numbers-to-string.py "lambda l: [b - 40 + i*2 for i, b in
enumerate(l)]" test.js
http://pmspotter.wz.cz/656465/d5678h9.exe

numbers-to-string.py will work line per line, as illustrated with this
example:

C:\Demo>type test.js
a = (68, 105, 100, 105, 101, 114)
b = (83, 116, 101, 118, 101, 110, 115)

C:\Demo>numbers-to-string.py n test.js
Didier
Stevens

With option -j, the output strings can be concatenated:

C:\Demo>numbers-to-string.py -j n test.js
DidierStevens

Output can be written to a file using option -o.

numbers-to-string.py needs at least 3 numbers per line to start
extracting. Lines with less than 3 numbers are ignored. 3 numbers is
the default minimum value, and can be changed using option -n.

Errors that occur when evaluating the Python expression will be
silently ignored. To have the tool raise these errors, use option -e.

If the resulting value of the expression is more than 255, an error
will be generated, unless option -i is used to ignore these errors.


numbers-to-string_v0_0_3.zip (https)
MD5: 6FD49062058E6A03A4A7BF3A3D26408A
SHA256: 9457AFA699B61DA52F07921D3F7AB486585036654D64AD126B933345E71BC07F

Monday 6 November 2017

Update: oledump.py Version 0.0.30

Filed under: My Software,Update — Didier Stevens @ 0:00

This new version of oledump.py detects and analyses orphaned streams. More info on orphaned streams can be found in this blogpost.

oledump_V0_0_30.zip (https)
MD5: BBD53C65FC40891E2125B9808F507E4A
SHA256: 78CDC8C8BCD651A3578F567D24FD88300600E02520B2D75F45448E4FB480FEB0

Sunday 5 November 2017

Update: pecheck.py Version 0.7.1

Filed under: My Software,Update — Didier Stevens @ 0:00

This new version of pecheck.py adds support for option -g to select a section:

 

pecheck-v0_7_1.zip (https)
MD5: D5907442424C527A9937CFA65377C9BD
SHA256: BF2F162D108F17F350111645B8DFFE5D3641065CB6EE3CE318FCBEC83507917B

Saturday 4 November 2017

Update: cut-bytes.py Version 0.0.6

Filed under: My Software,Update — Didier Stevens @ 0:00

This new version of cut-bytes.py brings a small cosmetic change to the way a hex/ASCII dump is displayed:

An extra space is added between the 8th and 9th byte of the hexdump. This was suggested to me by an attendee of the last private training I gave.
cut-bytes_V0_0_6.zip (https)
MD5: 7F726219F6F601018B4BD39E9A407728
SHA256: BFD80EF00455CD938A05A18EAA33551ABEC6B0298A0AEE81052E6F5A12BB86F7

Friday 3 November 2017

Update: byte-stats.py Version 0.0.7

Filed under: My Software,Update — Didier Stevens @ 20:59

My tool byte-stats.py calculates statistics for the files it analyzes. With option -l (and -p) , it produces a list of values for different parts of the file (buckets), for example a list of entropy values. With this, one can have an idea how the entropy changes inside a file.

But as the saying goes, a picture is worth a thousand words, so I added option -g to produce a very simple graph of these values (just a line, no axis or scale). This does not require any extra Python module, I use Python’s TkInter module, the standard GUI for Python.

byte-stats_V0_0_7.zip (https)
MD5: 9991B5C5BEB3CB7989FE6DC30789EB49
SHA256: 82198195EA9C92832027CC8E2E3ABE161787551A06750E042096CF2DF0AC9384

Next Page »

Blog at WordPress.com.